11 years ago · ad96d5ff04
--- a/AUTHORS
+++ b/AUTHORS
@@ -120,6 +120,7 @@ Marko Mikulicic <mmikulicic@gmail.com>
 
															 Markus Fix <lispmeister@gmail.com>
														
 
															 Martin Redmond <martin@tinychat.com>
														
 
															 Matt Apperson <me@mattapperson.com>
														
 
															+Mathieu Le Marec - Pasquet <kiorky@cryptelium.net>
														
 
															 Matt Bachmann <bachmann.matt@gmail.com>
														
 
															 Matthew Mueller <mattmuelle@gmail.com>
														
 
															 Maxim Treskin <zerthurd@gmail.com>
														
--- a/docs/sources/installation/kernel.rst
+++ b/docs/sources/installation/kernel.rst
@@ -25,6 +25,7 @@ If you cannot or do not want to use the "official" kernels,
 
															 here is some technical background about the features (both optional and
														
 
															 mandatory) that docker needs to run successfully.
														
 
															+
														
 
															 Linux version 3.8 or above
														
 
															 --------------------------
														
@@ -39,6 +40,15 @@ The symptoms include:
 
															 - kernel crash causing the machine to freeze for a few minutes, or even
														
 
															   completely.
														
 
															+Additionally, kernels prior 3.4 did not implement ``reboot_pid_ns``,
														
 
															+which means that the ``reboot()`` syscall could reboot the host machine,
														
 
															+instead of terminating the container. To work around that problem,
														
 
															+LXC userland tools (since version 0.8) automatically drop the ``SYS_BOOT``
														
 
															+capability when necessary. Still, if you run a pre-3.4 kernel with pre-0.8
														
 
															+LXC tools, be aware that containers can reboot the whole host! This is
														
 
															+not something that Docker wants to address in the short term, since you
														
 
															+shouldn't use kernels prior 3.8 with Docker anyway.
														
 
															+
														
 
															 While it is still possible to use older kernels for development, it is
														
 
															 really not advised to do so.
														
--- a/lxc_template.go
+++ b/lxc_template.go
@@ -120,7 +120,7 @@ lxc.aa_profile = unconfined
 
															 #  (Note: 'lxc.cap.keep' is coming soon and should replace this under the
														
 
															 #         security principle 'deny all unless explicitly permitted', see
														
 
															 #         http://sourceforge.net/mailarchive/message.php?msg_id=31054627 )
														
 
															-lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setpcap sys_admin sys_boot sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config
														
 
															+lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setpcap sys_admin sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config
														
 
															 {{end}}
														
 
															 # limits